The scariest part isn’t even the backdoor itself, it’s how normal the acquisition looked.Buying a trusted plugin and pushing an update is basically indistinguishable from legitimate maintenance. There’s no real signal for users to question it